Network Security in the Organization - Report Example

Summary
This report "Network Security in the Organization" presents data plane security that encompasses the actual packets that carry customer traffic. In contrast to the control plane, traffic on the data plane just goes through network devices and is not destined for any of the interfaces on the device…

Extract of sample "Network Security in the Organization"

How our organisation will provide the core services (both business and computing)

Our organisation provides three ways to get access to the Internet. Which method is chosen is determined by the size and capability of the organisation or individual.

Connect via LAN Server

This approach requires the user to install on his/her PC a network adapter card and Open Data-Link Interface (ODI) or Network Driver Interface Specification (NDIS) packet drivers. These drivers allow multiple protocols to run on one network card simultaneously. LAN servers are typically connected to the Internet at 56 kbps or faster. Such speed makes for an exciting trip on the Internet but is also very expensive - $2000 a month. However, we provide the facility to share the cost of this connection among several dozen LAN users to get to a reasonable cost per user. Additional costs associated with a LAN connection to the Internet include the cost of the protocol software.

Connect via SLIP/PPP

This approach requires a modem and the TCP/IP protocol software plus serial line Internet protocol (SLIP) or point-to-point protocol (PPP) software. SLIP and PPP are two communication protocols that transmit packets over telephone lines, allowing dial-up access to the Internet. If someone were running Windows, he would be using Winsock. Users must have an Internet Service Provider that lets them dial into a SLIP/PPP server. We provide the services by selling SLIP/PPP accounts for $30 a month. With all this in place, a modem is used to call into the SLIP/PPP server. Once the connection is made, the customer is on the Internet and can access any of its resources. The cost includes the cost of the modem and software plus our charges for the access to the SLIP/PPP server. The speed of this Internet connection is limited to the computer’s modem and the speed of the modem of the SLIP/PPP server to which a customer is connected.
Connect via Dell Service Provider

This approach requires nothing more than what is required to connect to any of the on-line information services – a modem, standard communications software and an online information service account like ours. We charge a normal fixed monthly cost for basic services, including e-mail. Besides e-mail and access to the World Wide Web, we provide a wide range of other services as well, such as hosting, domains, etc.

Dell Service Provider

In choosing an Internet Service Provider, the important criteria that the customer asks about are cost, reliability, security, the availability of enhanced features and the service provider’s general reputation. Reliability is critical because if your connection to the ISP fails, it interrupts your communications with customers and suppliers. Among the value-added services we provide are e-commerce, networks to connect employees, networks to connect with business partners, host computers to establish your own web site, web transaction processing, network security and administration and integration services. In addition, when organisations go with our ISP-hosted network, they can also tap the ISP’s national infrastructure at minimum cost. Since we don’t have offices spread throughout the country, there is no use in doing such a thing.

Details of potential weaknesses and threats

Currently our organisation is dealing with new issues almost daily. Control, access, hardware and security issues affect our network to a great extent, but the most critical problem which we are confronting is ‘service bottlenecks’.

Bottle Networking

Our organisation is aware of the fact that traffic on networks increases every day. The primary cause of service bottlenecks is simply the phenomenal growth. Traffic volume on company intranets is growing even faster than the Internet.
Companies providing Internet Service often underestimate the amount of computing power and communications capacity they need to service all the “hits” or requests for pages they get from web cruisers. The same thing happened in our case and the web server computers are overwhelmed with thousands of hits per hour. Slow modems and the copper-based telephone wire system that carries the signal into an office or home are the two current primary bottlenecks. For most users these two limit a user’s maximum access speed to around 56 kbps, which is still too slow for 16-bit stereo sound and smooth full screen video.

In this respect we have made connection agreements with other companies so that we can accept each other’s traffic and provide a certain level of service. But that is not a solution to the problem and does not work every time. At some interconnect points where major Internet operators hand off to one another, one operator may not be able to accept incoming traffic fast enough because its lines are overloaded with traffic. Our organisation has suffered through this situation when we linked with Pacific Nations. Most providers lease their lines from phone companies, but due to the high cost some providers scrimp, leading to inadequate capacity, which slows transmissions.

Routers, the specialised computers that send packets down the right network pathways, can also become bottlenecks. For each packet, every router along the way must scan a massive address book of about 40,000 area destinations to pick the right one. These routers can get overloaded and lose packets. The TCP/IP protocol compensates for this by detecting a missing packet and requesting the sending device to resend the packet. However, this leads to a vicious circle as the network devices continually try to resend lost packets, resulting in long response times or loss of the connection to the Internet.
Other Security Threats and Weaknesses

Denial of service (DoS) and distributed denial of service (DDoS) attacks: As with all denial of service attacks, the objective of a DDoS is to overload a server with so many requests that it goes down. Until recently, attackers were restricted to launching attacks from a single point. With DDoS, an attacker can hack into thousands of sites, install the flooding software, and then push a button to coordinate all those sites to send requests at the same time. When a group of attackers band together to launch a DDoS attack, the results can be devastating. The International Computer Security Association ranks DDoS attacks as an important new threat that security managers should keep on their radar screens. The software products used to execute these types of attacks are Tribe Flood Net 2K (TFN2K is an upgraded version of the previous single-point DoS software) and Trinoo. Both spoof IP addresses to make it difficult to detect the origin of the attack, and TFN2K can forge packets that appear to come from legitimate neighbouring machines. (Neeley, 2000)

Excessive traffic and resource depletion caused by infected machines can generate problems for ISPs: If backups are inadequate, the data and programs may never fully function again.

Attacking Border Gateway Protocol (BGP) routing and injecting faulty BGP routes for traffic redirection is one technique that attackers are using to obtain the ‘interesting’ traffic. (Cisco2006)

Domain Name System (DNS) information is sometimes used to redirect Internet traffic to serve the needs of people with criminal intent. (Cisco2006)

Recommended Security Measures

At the most basic level, the service provider can take steps to control the flow of the information. This happens, for example, whenever a Web-page operator conditions access to the page on the users’ presentation of information. Consider the many precautions taken by adult Web pages.
Some pages simply warn minors or persons from certain geographical locations not to view or enter, and disclaim legal liability if they do. Others condition access on proof of age or on membership in one of dozens of private age verification services. Others require potential end-users to send by fax or telephone information specifying age and geographical location. Still others label or rate their pages to accommodate end-use filtering software. Finally, digital identification technology offers Internet service providers as well as users a way to authenticate the identity of a party in a cyberspace transaction. Although digital identification is usually used to verify who someone is, it can also be used to verify other facts about cyberspace users, such as their nationality, domicile, or permanent address.

At the other end of the distribution chain, end-users can employ software filters to block out or discriminate among information flows. Parental control software is the most prominent example of an end-user filter, but many businesses and other local area networks also employ these technologies.

Content filters also can be imposed at junctures along the cyberspace information stream between content providers and end-users. They can be imposed, for example, at the network level or at the level of the Internet service provider. They can also assist governments in filtering information at the national level. A government can choose to have no Internet links whatsoever and to regulate telephone and other communication lines to access providers in other countries. China, Singapore, and the United Arab Emirates have taken the somewhat less severe steps of (a) regulating access to the Internet through centralized filtered servers and (b) requiring filters for in-state Internet service providers and end-users.
We have seen that Germany has chosen to hold liable Internet access providers who have knowledge of illegal content and fail to use “technically possible and reasonable” means to filter it. The Federal Communications Commission recently required V-chip blocking technology to be placed in computers capable of receiving video broadcasting, and pending antispam legislation would impose identification requirements on commercial e-mail senders and filtering requirements on Internet service providers. There are numerous other possibilities.

As a consequence, the Internet enables many types of server machines to interoperate with one another, since information in otherwise incompatible formats is treated as fungible by the network. Specific and possibly incompatible functions are pushed to the end-user machines at the ends of the network, and the standard protocols connecting the machines at the edge of the Internet act as a kind of translator between them.

The result of this design is a system that is relatively insensitive to geography in several different aspects. Within the system, it is logical location that counts, and not geographic location: the network is designed to route packets according to their Internet addresses, without regard to geographic origin or destination. The machine to which an Internet address is assigned has, of course, a physical location, but that is not reflected in the logical address of the machine.

This fact is well demonstrated by the very common technique of dynamic Internet Protocol (IP) address assignment, used as a strategy for managing user connectivity. Rather than managing a single IP address, ISPs will frequently manage a block of addresses, assigning them to users temporarily as needed for a particular network session. Thus, the connection used by a given subscriber will likely resolve to different IP addresses on a daily, perhaps hourly, basis.
Tools and Techniques

In order to secure network devices, we have to view the security issues from the perspective of these three planes, i.e., control plane, management plane and data plane.

Securing the Control Plane

The control plane covers mostly IP signalling traffic on an ISP’s network. Packets that belong to the control plane do not carry any of the users’ information. Instead, they contain information on how to carry the packets that constitute the customer's traffic; they primarily carry routing protocols. Besides general ISP architectural recommendations, the following elements of BGP hardening are considered the most important in the service provider security paradigm: (Cisco2006)

Ingress filtering of BGP updates from customers: Every customer should be allowed to advertise only the known networks that have been assigned to them. Some of the default ranges that should normally be filtered out of BGP between peers are private or special-use addresses or unassigned address spaces. (Cisco2006)

Control plane policing and receive path access control lists (ACLs) are per-box measures that provide centralized control of the traffic destined to the router, most of which normally consists of control plane packets. Using these features enables administrators to employ modular quality of service command-line interface (MQC) service policies and ACLs to secure all the traffic that is destined for router CPUs. These features help administrators provide more scalable and simpler security, especially when compared to the alternative of per-interface ACL deployment for a similar purpose. (Cisco2006)

Securing Management Plane

Unnecessary services should be turned off, and it is advisable to turn off Cisco Discovery Protocol at the network edges. Running any unnecessary and possibly unsecured service on network devices leaves a potential hole that can be used for a DoS attack. (Cisco2006)

An enable secret password should be used to protect administrative access to routers. (Cisco2006)

One-time passwords can be used when SSH is not available on the given device. This method ensures password confidentiality even over unencrypted Telnet sessions. (Cisco2006)

Authentication, authorization, and accounting (AAA) should be used for administrative access. AAA is usually based on the TACACS protocol because TACACS provides the most comprehensive support for authorization of the commands available in command-line interface (CLI) sessions. (Cisco2006)

Local passwords, irreversibly encrypted, should be used as a last-resort backup if the TACACS server is not working or is not accessible. (Cisco2006)

Logging messages to syslog servers should be used with an informational or warning level. The source address for syslog messages should also be set to the loopback address. Logging to the console port should be turned off. (Cisco2006)

Network Time Protocol (NTP) should be used to keep the time synchronized among routers. It is also advisable to activate security mechanisms for NTP to prevent attacks against this protocol. (Cisco2006)

SNMP should not use default communities. Generally, SNMP access should be restricted to read-only privileges. Access lists should be used to restrict IP addresses from which SNMP requests can originate. (Cisco2006)

Securing the Data Plane

Data plane security encompasses the actual packets that carry customer traffic. In contrast to the management and control plane, traffic on the data plane just goes through network devices and is not destined for any of the interfaces on the device. Administering ACLs is the most important part of handling data plane security. Deploying ACLs is important primarily on the network edges, where multiple types of traffic need to be blocked. (Cisco2006)

Antispoofing ACLs provide traffic filtering of source addresses from the service provider's own address space. By filtering out packets with the source address ranges belonging to the internal IP space, a service provider provides the basis for per-service source-based ACL deployment (such as SNMP access lists or vty access classes). Antispoofing ACLs also prevent reflection attacks that rely on the reply packets destined toward the internal spoofed addresses. (Cisco2006)

Infrastructure ACLs (IACLs) are normally deployed on the edges of a service provider's network with the goal of blocking traffic that should never be seen on the network and is destined toward the IP range belonging to the network infrastructure. The IACLs provide filtering of unwanted packets on the network edges. Deploying IACLs is an iterative task that requires identifying the traffic from the outside that needs to be filtered out and the traffic directed toward the network infrastructure that needs to be allowed in. Infrastructure ACLs complement the receive-path ACLs (RACLs) and control plane policing that are deployed throughout the network on a per-device basis. (Cisco2006)

References

Neeley, Dequendre (2000). New Denial of Service Attack. Security Management. Volume: 44. Issue: 3. Page Number: 28.

Cisco2006, accessed from
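The ingress filtering of customer BGP updates described under "Securing the Control Plane" and the antispoofing and infrastructure ACLs described under "Securing the Data Plane" can be modelled as simple prefix checks. The following Python sketch is an added example, not part of the original report or of any Cisco material; all prefixes, names and the permit list are constructed assumptions.

```python
import ipaddress

# Private and special-use IPv4 ranges (a subset). The RFC 5737 documentation
# ranges are deliberately left out, because the constructed sample data below
# uses them as stand-ins for real allocations.
SPECIAL_USE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample data (hypothetical, not real allocations).
CUSTOMER_ASSIGNED = [ipaddress.IPv4Network("203.0.113.0/24")]
PROVIDER_SPACE = [ipaddress.IPv4Network("198.51.100.0/24")]
INFRASTRUCTURE = [ipaddress.IPv4Network("198.51.100.0/28")]
# Traffic explicitly allowed toward infrastructure: one external BGP peer.
PEER_PERMITS = [(ipaddress.IPv4Network("192.0.2.1/32"),
                 ipaddress.IPv4Network("198.51.100.1/32"))]
SAMPLE_UPDATE = ["203.0.113.0/25", "10.1.0.0/16", "192.0.2.0/24",
                 "203.0.112.0/23", "0.0.0.0/0"]


def check_announcement(prefix, assigned):
    """Verdict for one prefix in a customer's BGP update."""
    net = ipaddress.IPv4Network(prefix)
    # overlaps() also catches covering routes such as 0.0.0.0/0.
    if any(net.overlaps(s) for s in SPECIAL_USE):
        return "reject: special-use"
    # Accept only the assigned prefix itself or a more specific part of it.
    if any(net.subnet_of(a) for a in assigned):
        return "accept"
    return "reject: not assigned to customer"


def filter_update(prefixes, assigned):
    """Split one BGP update into accepted prefixes and rejected ones."""
    accepted, rejected = [], {}
    for p in prefixes:
        verdict = check_announcement(p, assigned)
        if verdict == "accept":
            accepted.append(p)
        else:
            rejected[p] = verdict
    return accepted, rejected


def edge_acl(src, dst, provider_space, infrastructure, permits=()):
    """Decision for a packet arriving on an external-facing interface."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Antispoofing: outside traffic must not claim an internal source.
    if any(s in n for n in provider_space):
        return "deny: spoofed internal source"
    # Infrastructure ACL: only explicitly identified traffic may reach
    # the infrastructure range; everything else toward it is dropped.
    if any(d in n for n in infrastructure):
        if any(s in sn and d in dn for sn, dn in permits):
            return "permit"
        return "deny: destined to infrastructure"
    return "permit"


if __name__ == "__main__":
    print(filter_update(SAMPLE_UPDATE, CUSTOMER_ASSIGNED))
    print(edge_acl("198.51.100.77", "203.0.113.9",
                   PROVIDER_SPACE, INFRASTRUCTURE, PEER_PERMITS))
```

The order of checks in `edge_acl` mirrors the text: the antispoofing rule runs first, so a forged internal source cannot match a permit entry meant for internal management hosts.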
